r3566: Completely replace the queryuseraliases call. The previous implementation does

not exactly match what you would expect.

XP workstations during login actually do this, so we should better become a
bit more correct. The LDAP query issued is not really fully optimal, but it is
a lot faster and more correct than what was there before. The change in
passdb.h makes it possible that queryuseraliases is done with a single ldap
query.

Volker
(This used to be commit 2508d4ed1e16c268fc9f3676b0c6a122e070f93d)

2 files changed, 35 insertions, 219 deletions

diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index 37617db5e8f..f4348fc83ef 100644
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -3119,31 +3119,19 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_
 
 NTSTATUS _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u, SAMR_R_QUERY_USERALIASES *r_u)
 {
-	int num_groups = 0, tmp_num_groups=0;
-	uint32 *rids=NULL, *new_rids=NULL, *tmp_rids=NULL;
+	int num_groups = 0;
+	uint32 *rids=NULL;
 	struct samr_info *info = NULL;
-	int i,j;
+	int i;
 		
 	NTSTATUS ntstatus1;
 	NTSTATUS ntstatus2;
 
-	/* until i see a real useraliases query, we fack one up */
+	DOM_SID *members;
+	DOM_SID *aliases;
+	int num_aliases;
+	BOOL res;
 
-	/* I have seen one, JFM 2/12/2001 */
-	/*
-	 * Explanation of what this call does:
-	 * for all the SID given in the request:
-	 * return a list of alias (local groups)
-	 * that have those SID as members.
-	 *
-	 * and that's the alias in the domain specified
-	 * in the policy_handle
-	 *
-	 * if the policy handle is on an incorrect sid
-	 * for example a user's sid
-	 * we should reply NT_STATUS_OBJECT_TYPE_MISMATCH
-	 */
-	
 	r_u->status = NT_STATUS_OK;
 
 	DEBUG(5,("_samr_query_useraliases: %d\n", __LINE__));
@@ -3166,40 +3154,43 @@ NTSTATUS _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u,
 	    !sid_check_is_builtin(&info->sid))
 		return NT_STATUS_OBJECT_TYPE_MISMATCH;
 
+	members = talloc(p->mem_ctx, sizeof(DOM_SID) * q_u->num_sids1);
 
-	for (i=0; i<q_u->num_sids1; i++) {
+	if (members == NULL)
+		return NT_STATUS_NO_MEMORY;
 
-		r_u->status=get_alias_user_groups(p->mem_ctx, &info->sid, &tmp_num_groups, &tmp_rids, &(q_u->sid[i].sid));
+	for (i=0; i<q_u->num_sids1; i++)
+		sid_copy(&members[i], &q_u->sid[i].sid);
 
-		/*
-		 * if there is an error, we just continue as
-		 * it can be an unfound user or group
-		 */
-		if (!NT_STATUS_IS_OK(r_u->status)) {
-			DEBUG(10,("_samr_query_useraliases: an error occured while getting groups\n"));
-			continue;
-		}
+	become_root();
+	res = pdb_enum_alias_memberships(members,
+					 q_u->num_sids1, &aliases,
+					 &num_aliases);
+	unbecome_root();
+
+	if (!res)
+		return NT_STATUS_UNSUCCESSFUL;
 
-		if (tmp_num_groups==0) {
-			DEBUG(10,("_samr_query_useraliases: no groups found\n"));
+	rids = NULL;
+	num_groups = 0;
+
+	for (i=0; i<num_aliases; i++) {
+		uint32 rid;
+
+		if (!sid_peek_check_rid(&info->sid, &aliases[i], &rid))
 			continue;
-		}
 
-		new_rids=(uint32 *)talloc_realloc(p->mem_ctx, rids, (num_groups+tmp_num_groups)*sizeof(uint32));
-		if (new_rids==NULL) {
-			DEBUG(0,("_samr_query_useraliases: could not realloc memory\n"));
+		rids = talloc_realloc(p->mem_ctx, rids,
+				      sizeof(*rids) * (num_groups+1));
+
+		if (rids == NULL)
 			return NT_STATUS_NO_MEMORY;
-		}
-		rids=new_rids;
 
-		for (j=0; j<tmp_num_groups; j++)
-			rids[j+num_groups]=tmp_rids[j];
-		
-		safe_free(tmp_rids);
-		
-		num_groups+=tmp_num_groups;
+		rids[num_groups] = rid;
+		num_groups += 1;
 	}
-	
+	SAFE_FREE(aliases);
+
 	init_samr_r_query_useraliases(r_u, num_groups, rids, NT_STATUS_OK);
 	return NT_STATUS_OK;
 }
diff --git a/source3/rpc_server/srv_util.c b/source3/rpc_server/srv_util.c
index ce8e02fae79..215471b444c 100644
--- a/source3/rpc_server/srv_util.c
+++ b/source3/rpc_server/srv_util.c
@@ -82,181 +82,6 @@ static const rid_name domain_group_rids[] =
 /*******************************************************************
  gets a domain user's groups
  ********************************************************************/
-NTSTATUS get_alias_user_groups(TALLOC_CTX *ctx, DOM_SID *sid, int *numgroups, uint32 **prids, DOM_SID *q_sid)
-{
-	SAM_ACCOUNT *sam_pass=NULL;
-	int i, cur_rid=0;
-	gid_t gid;
-	gid_t *groups = NULL;
-	int num_groups;
-	GROUP_MAP map;
-	DOM_SID tmp_sid;
-	fstring user_name;
-	fstring str_domsid, str_qsid;
-	uint32 rid,grid;
-	uint32 *rids=NULL, *new_rids=NULL;
-	gid_t winbind_gid_low, winbind_gid_high;
-	BOOL ret;
-	BOOL winbind_groups_exist;
-
-	*prids=NULL;
-	*numgroups=0;
-
-	winbind_groups_exist = lp_idmap_gid(&winbind_gid_low, &winbind_gid_high);
-
-
-	DEBUG(10,("get_alias_user_groups: looking if SID %s is a member of groups in the SID domain %s\n", 
-	          sid_to_string(str_qsid, q_sid), sid_to_string(str_domsid, sid)));
-
-	pdb_init_sam(&sam_pass);
-	become_root();
-	ret = pdb_getsampwsid(sam_pass, q_sid);
-	unbecome_root();
-	if (ret == False) {
-		pdb_free_sam(&sam_pass);
-		return NT_STATUS_NO_SUCH_USER;
-	}
-
-	fstrcpy(user_name, pdb_get_username(sam_pass));
-	grid=pdb_get_group_rid(sam_pass);
-	if (!NT_STATUS_IS_OK(sid_to_gid(pdb_get_group_sid(sam_pass), &gid))) {
-		/* this should never happen */
-		DEBUG(2,("get_alias_user_groups: sid_to_gid failed!\n"));
-		pdb_free_sam(&sam_pass);
-		return NT_STATUS_UNSUCCESSFUL;
-	}
-
-	ret = getgroups_user(user_name, &groups, &num_groups);	
-	if (!ret) {
-		/* this should never happen */
-		DEBUG(2,("get_alias_user_groups: getgroups_user failed\n"));
-		pdb_free_sam(&sam_pass);
-		return NT_STATUS_UNSUCCESSFUL;
-	}
-
-	for (i=0;i<num_groups;i++) {
-
-		become_root();
-		ret = get_group_from_gid(groups[i], &map);
-		unbecome_root();
-		
-		if ( !ret ) {
-			DEBUG(10,("get_alias_user_groups: gid %d. not found\n", (int)groups[i]));
-			continue;
-		}
-		
-		/* if it's not an alias, continue */
-		if (map.sid_name_use != SID_NAME_ALIAS) {
-			DEBUG(10,("get_alias_user_groups: not returing %s, not an ALIAS group.\n", map.nt_name));
-			continue;
-		}
-
-		sid_copy(&tmp_sid, &map.sid);
-		sid_split_rid(&tmp_sid, &rid);
-		
-		/* if the sid is not in the correct domain, continue */
-		if (!sid_equal(&tmp_sid, sid)) {
-			DEBUG(10,("get_alias_user_groups: not returing %s, not in the domain SID.\n", map.nt_name));
-			continue;
-		}
-
-		/* Don't return winbind groups as they are not local! */
-		if (winbind_groups_exist && (groups[i] >= winbind_gid_low) && (groups[i] <= winbind_gid_high)) {
-			DEBUG(10,("get_alias_user_groups: not returing %s, not local.\n", map.nt_name));
-			continue;
-		}
-
-		/* Don't return user private groups... */
-		if (Get_Pwnam(map.nt_name) != 0) {
-			DEBUG(10,("get_alias_user_groups: not returing %s, clashes with user.\n", map.nt_name));
-			continue;			
-		}
-		
-		new_rids=(uint32 *)Realloc(rids, sizeof(uint32)*(cur_rid+1));
-		if (new_rids==NULL) {
-			DEBUG(10,("get_alias_user_groups: could not realloc memory\n"));
-			pdb_free_sam(&sam_pass);
-			free(groups);
-			return NT_STATUS_NO_MEMORY;
-		}
-		rids=new_rids;
-		
-		sid_peek_rid(&map.sid, &(rids[cur_rid]));
-		cur_rid++;
-		break;
-	}
-
-	if(num_groups) 
-		free(groups);
-
-	/* now check for the user's gid (the primary group rid) */
-	for (i=0; i<cur_rid && grid!=rids[i]; i++)
-		;
-
-	/* the user's gid is already there */
-	if (i!=cur_rid) {
-		DEBUG(10,("get_alias_user_groups: user is already in the list. good.\n"));
-		goto done;
-	}
-
-	DEBUG(10,("get_alias_user_groups: looking for gid %d of user %s\n", (int)gid, user_name));
-
-	if(!get_group_from_gid(gid, &map)) {
-		DEBUG(0,("get_alias_user_groups: gid of user %s doesn't exist. Check your "
-		"/etc/passwd and /etc/group files\n", user_name));
-		goto done;
-	}	
-
-	/* the primary group isn't an alias */
-	if (map.sid_name_use!=SID_NAME_ALIAS) {
-		DEBUG(10,("get_alias_user_groups: not returing %s, not an ALIAS group.\n", map.nt_name));
-		goto done;
-	}
-
-	sid_copy(&tmp_sid, &map.sid);
-	sid_split_rid(&tmp_sid, &rid);
-
-	/* if the sid is not in the correct domain, continue */
-	if (!sid_equal(&tmp_sid, sid)) {
-		DEBUG(10,("get_alias_user_groups: not returing %s, not in the domain SID.\n", map.nt_name));
-		goto done;
-	}
-
-	/* Don't return winbind groups as they are not local! */
-	if (winbind_groups_exist && (gid >= winbind_gid_low) && (gid <= winbind_gid_high)) {
-		DEBUG(10,("get_alias_user_groups: not returing %s, not local.\n", map.nt_name ));
-		goto done;
-	}
-
-	/* Don't return user private groups... */
-	if (Get_Pwnam(map.nt_name) != 0) {
-		DEBUG(10,("get_alias_user_groups: not returing %s, clashes with user.\n", map.nt_name ));
-		goto done;			
-	}
-
-	new_rids=(uint32 *)Realloc(rids, sizeof(uint32)*(cur_rid+1));
-	if (new_rids==NULL) {
-		DEBUG(10,("get_alias_user_groups: could not realloc memory\n"));
-		pdb_free_sam(&sam_pass);
-		return NT_STATUS_NO_MEMORY;
-	}
-	rids=new_rids;
-
- 	sid_peek_rid(&map.sid, &(rids[cur_rid]));
-	cur_rid++;
-
-done:
- 	*prids=rids;
-	*numgroups=cur_rid;
-	pdb_free_sam(&sam_pass);
-
-	return NT_STATUS_OK;
-}
-
-
-/*******************************************************************
- gets a domain user's groups
- ********************************************************************/
 BOOL get_domain_user_groups(TALLOC_CTX *ctx, int *numgroups, DOM_GID **pgids, SAM_ACCOUNT *sam_pass)
 {